Q. How do I turn on DNS server logging so that I can see all the queries on my CentOS 4.0 server?

A. You can use the rndc command, which controls the operation of a name server. It supersedes the ndc utility that was provided in old BIND releases. If rndc is invoked with no command-line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.

rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of rndc and named, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.

Task: Turn on logging

Type the following command as root to toggle query logging:
# rndc querylog

Task: View BIND server query log

Once this is done, you can view all logged queries in the /var/log/messages file. To view those queries, type:
# tail -f /var/log/messages

Task: Turn off logging

Type the following command as root to toggle query logging:
# rndc querylog
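
As an added example (not part of the original article), the Python sketch below summarizes query log lines per client and per question, so a flood of repeated queries from one source stands out instead of scrolling past in tail -f. The log lines are constructed samples, and the line format the regex expects is an assumption modelled on BIND 9 query log output; check it against lines from your own server.

```python
import re
from collections import Counter

# Matches the "client ...: query: NAME CLASS TYPE" part of a query log line.
# The optional groups (client object pointer, echoed name, view) cover format
# differences between BIND 9 versions; verify against your own server's lines.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: (?:view \S+: )?"
    r"query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
Feb 17 10:20:00 ns1 named[2101]: received control channel command 'querylog'
Feb 17 10:20:00 ns1 named[2101]: query logging is now on
Feb 17 10:20:01 ns1 named[2101]: client 192.0.2.10#40211: query: www.example.com IN A
Feb 17 10:20:01 ns1 named[2101]: client 198.51.100.7#53: query: example.org IN ANY
Feb 17 10:20:01 ns1 named[2101]: client 198.51.100.7#53: query: example.org IN ANY
Feb 17 10:20:02 ns1 named[2101]: client 198.51.100.7#53 (example.org): query: example.org IN ANY +E (203.0.113.1)
Feb 17 10:20:02 ns1 named[2101]: client @0x7f3c2c0a1b20 192.0.2.10#51514 (WWW.Example.com): query: WWW.Example.com IN A + (203.0.113.1)
"""

def parse_line(line):
    """Return (client_ip, qname, qtype), or None for non-query lines."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    name = m.group("name").lower().rstrip(".") or "."  # keep the root name
    return m.group("ip"), name, m.group("qtype")

def summarize(lines):
    """Count queries per client and per (name, type) question."""
    per_client, per_question = Counter(), Counter()
    for parsed in filter(None, map(parse_line, lines)):
        ip, name, qtype = parsed
        per_client[ip] += 1
        per_question[(name, qtype)] += 1
    return per_client, per_question

def noisy_clients(per_client, min_share=0.5):
    """Clients that sent at least min_share of all logged queries."""
    total = sum(per_client.values())
    return sorted(ip for ip, n in per_client.items() if n / total >= min_share)

if __name__ == "__main__":
    clients, questions = summarize(SAMPLE_LOG.splitlines())
    for ip, n in clients.most_common():
        print(f"{n:6d} queries from {ip}")
    for (name, qtype), n in questions.most_common(3):
        print(f"{n:6d} x {name} {qtype}")
    print("noisy:", noisy_clients(clients))
```

To run it against real data, pass an open file object for /var/log/messages to summarize() in place of the sample lines.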

11 comments
  • Scott Dec 10, 2010 @ 20:27

    Perfect! Thanks!

  • Prasad Chandorkar Mar 1, 2012 @ 7:55


    Thanks a lot.

  • Talk May 30, 2012 @ 5:51

    Thanks a lot for this hint!!!

  • Alparslan Aug 6, 2012 @ 13:44

    Is there any program or service for monitoring which domain name is used and queried by any client?

    I want a Linux bind9 DNS query log analyser, etc.

    • marb7 Apr 30, 2016 @ 9:18

      Use dig by installing dnsutils… [http://packages.ubuntu.com/trusty/dnsutils]

      example output
      $ dig google.com

      ; <> DiG 9.9.5-3ubuntu0.8-Ubuntu <> google.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41256
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

      ; EDNS: version: 0, flags:; udp: 512
      ;google.com. IN A

      google.com. 299 IN A

      ;; Query time: 43 msec
      ;; SERVER:
      ;; WHEN: Sat Apr 30 02:15:17 PDT 2016
      ;; MSG SIZE rcvd: 55

      and nmap for ports
      $ nmap google.com

      Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-30 02:17 PDT
      Nmap scan report for google.com (
      Host is up (0.0043s latency).
      rDNS record for lax02s22-in-f46.1e100.net
      Not shown: 998 filtered ports
      80/tcp open http
      443/tcp open https

      Nmap done: 1 IP address (1 host up) scanned in 4.04 seconds

  • tonic Jan 9, 2013 @ 13:25

    In the case of a Debian system like mine (wheezy), I had to tail /var/log/syslog instead of /var/log/messages :)

    • Sayantan Khan Jun 16, 2014 @ 11:52

      Thanks a lot for that debian specific information.

  • Tony Jun 11, 2014 @ 15:57

    Excellent, thank you so much!

  • Tony Jun 26, 2014 @ 21:43

    Thank you!!!

  • IRE Jul 9, 2016 @ 12:17

    Is there a way to redirect the rndc querylog to a separate log file (where just the queries can reside) inside of system-journal and /var/log/messages?

    This is in CentOS 7.x with chroot’ed bind.


  • Richard Johnson Feb 17, 2017 @ 10:25

    Just thought I’d add a thanks to this. I installed ntop and discovered massive spikes on UDP – by enabling this log (I didn’t know it was disabled by default) I discovered a DNS amplification attack (DDOS) on my server because I had recursion enabled in the named.conf file (my bad). Without viewing the log I would be left head scratching where the traffic was coming from.
